OpenVPN Client Ignores DNS

Bug #691723 reported by Cerin
This bug affects 6 people
Affects: openvpn (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: openvpn

The openvpn client does not correctly update /etc/resolv.conf with DNS data provided by the openvpn server.

The log shows the client is receiving control messages containing valid DNS.

e.g. Fri Dec 17 16:17:35 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.123.10.0 255.255.255.0,dhcp-option DNS 10.123.10.12,dhcp-option DOMAIN mydomain.com,route 10.88.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.88.0.38 10.88.0.37'

However, I'm unable to resolve any VPN-specific domains until I manually add the DNS and DOMAIN values to my /etc/resolv.conf. Even then, the mechanism that normally maintains this file appears to periodically revert the file to the original values.

I've tried installing both Network-Manager xor Wicd network managers, as well as resolvconf, but I'm still required to manually edit /etc/resolv.conf in order to use my VPN.

Openvpn, or some proxy program for openvpn, should update /etc/resolv.conf with the DNS and DOMAIN received through control messages. e.g.

domain mydomain.com
search mydomain.com
nameserver 10.123.10.12

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: openvpn 2.1.0-1ubuntu1.1
Uname: Linux 2.6.32-020632-generic x86_64
NonfreeKernelModules: wl nvidia
Architecture: amd64
Date: Fri Dec 17 16:15:17 2010
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: openvpn

Thierry Carrez (ttx) wrote :

This is what /etc/openvpn/update-resolv-conf should do. This is not done automatically, you have to enable it in your openvpn config.
Do you have the following in your openvpn configuration:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

?

Changed in openvpn (Ubuntu):
status: New → Incomplete
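
How the pushed options reach an up script, shown as an added example that is not part of the original thread and is not the Ubuntu update-resolv-conf script: OpenVPN exports each pushed dhcp-option to the script as foreign_option_N, and the function below (build_resolv_conf, a hypothetical name) turns those into resolv.conf lines, accepting only values that look like addresses or hostnames. The sample values are the ones in the PUSH_REPLY line from the report.

```shell
#!/bin/sh
# Added example; not the Ubuntu update-resolv-conf script.
# OpenVPN passes each pushed "dhcp-option ..." to an --up script in the
# environment as foreign_option_1, foreign_option_2, ...

# Print resolv.conf lines for the pushed options. The ( ) body runs in a
# subshell, so set -f and the loop variables stay local to the function.
build_resolv_conf() (
    set -f                  # no glob expansion when splitting pushed text
    n=1 search="" servers=""
    while :; do
        eval "opt=\${foreign_option_${n}-}"   # n is our own counter
        [ -n "$opt" ] || break
        n=$((n + 1))
        set -- $opt         # e.g. dhcp-option DNS 10.123.10.12
        [ "$#" -eq 3 ] && [ "$1" = "dhcp-option" ] || continue
        case "$2" in
            DNS)
                # Server-supplied value: keep only address characters.
                case "$3" in *[!0-9A-Fa-f:.]*) continue ;; esac
                servers="$servers $3" ;;
            DOMAIN)
                # Keep only hostname characters.
                case "$3" in *[!A-Za-z0-9.-]*) continue ;; esac
                search="${search:+$search }$3" ;;
        esac
    done
    [ -n "$search" ] && printf 'search %s\n' "$search"
    for s in $servers; do printf 'nameserver %s\n' "$s"; done
)

# Values taken from the PUSH_REPLY line in the report.
foreign_option_1='dhcp-option DNS 10.123.10.12'
foreign_option_2='dhcp-option DOMAIN mydomain.com'
build_resolv_conf
```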
Cerin (chrisspen) wrote :

I added those two lines to the end of my vpn.conf, which I execute like:

sudo openvpn --config vpn.conf

However, after the script reports "Initialization complete", the only data added to my resolv.conf are two nameserver entries, neither of which is the nameserver specified in the push command. The domain and search entries aren't added either. Therefore, I'm still unable to resolve domains inside the VPN.

The following are the contents of my vpn.conf file:

client
dev tun
script-security 2
proto udp
remote 10.23.45.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert myuser.crt
key myuser.key
comp-lzo
verb 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Are there any other directives that I should add?

Thierry Carrez (ttx) wrote :

Hm, I think the problem comes from using OpenVPN directly with a NetworkManager that owns resolv.conf. Both try to overwrite resolv.conf and NM wins. You should either configure network outside NM (using /etc/network/interfaces), or use network-manager-openvpn for a hopefully integrated experience...

Launchpad Janitor (janitor) wrote :

[Expired for openvpn (Ubuntu) because there has been no activity for 60 days.]

Changed in openvpn (Ubuntu):
status: Incomplete → Expired
zasran (erik-zasran) wrote :

Can this be fixed? Think it's obvious it's broken and it makes using openvpn fairly inconvenient, i.e. command line usage essentially does not work. Using it from network manager seems to be sort of working but network manager does not understand the config file (does not get all gateway servers, does not get the certificates from the config file).
